Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.

So far, the attacks have hijacked more than 300,000 servers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.

Yet another recently discovered campaign targeting online bank customers in Poland worked in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service. The malicious sites would then steal the victims' login credentials. The router "pharming" attack reported by Team Cymru appears to be part of a distinct campaign given its much larger size, geographic diversity, and the fact that so far there are no indications that DNS lookups for banking sites are affected.

"The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," Monday's report stated. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."

Have I been hacked?

The telltale sign a router has been compromised is DNS settings that have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response. The researchers also privately contacted representatives of all manufacturers of routers being successfully hacked in this latest campaign.

Monday's report is the latest to underscore the growing real-world attacks that target weaknesses in routers, modems, and other devices running embedded software. Once the domain of computers running Microsoft operating systems, these hacks in some cases exploit software bugs in the underlying code. In other cases, they seize on the use of default passwords or other errors made by the people using the targeted devices.

"As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," the Team Cymru researchers wrote. "Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers."

Given the increasing success in compromising home and small-office routers, users should regularly review their devices to make sure they're not vulnerable to the most common types of exploits. The most important thing readers should do is to make sure the device is running the latest-available version of the firmware. Readers should also disable remote administration capabilities if they're not needed. If they are needed, users should limit the remote IP addresses that can access the router. It's also a good idea to regularly check DNS settings to ensure they haven't been altered. When possible, it can be helpful to disable a router's Web interface in favor of a command line since the interfaces are often susceptible to cross-site request forgeries and other types of attacks that target Web-programming weaknesses.
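A defensive check that ties the two resolver addresses named in the report to the advice above to review DNS settings regularly: an added Python example, not code from the article or from Team Cymru, that parses a router's exported DNS settings or a resolv.conf-style snippet, flags the reported rogue resolvers, and flags any resolver that differs from the one the owner expects. The sample inputs are constructed, not taken from a real device.

```python
import ipaddress
import re

# Rogue resolver addresses named in the Team Cymru report (quoted in the article).
ROGUE_RESOLVERS = {"5.45.75.11", "5.45.76.36"}

# Constructed samples: a key=value export as a small router might produce it,
# and a resolv.conf-style snippet as a DHCP client on the LAN would see it.
SAMPLE_ROUTER_DNS = "dns1=5.45.75.11\ndns2=5.45.76.36\n"
SAMPLE_CLIENT_RESOLV = "# generated by dhcp\nnameserver 192.168.1.1\n"


def extract_resolvers(text):
    """Return every valid IPv4 address found outside comments, in order."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", line):
            try:
                found.append(str(ipaddress.ip_address(token)))
            except ValueError:                # e.g. an octet above 255
                pass
    return found


def assess_resolvers(resolvers, expected=None):
    """Return (address, verdict) pairs.

    'rogue'      -> matches an indicator from the report
    'unexpected' -> not in the owner's expected resolver set (when given)
    'ok'         -> nothing to report
    """
    verdicts = []
    for addr in resolvers:
        if addr in ROGUE_RESOLVERS:
            verdicts.append((addr, "rogue"))
        elif expected and addr not in expected:
            verdicts.append((addr, "unexpected"))
        else:
            verdicts.append((addr, "ok"))
    return verdicts


def is_suspicious(text, expected=None):
    """True if any resolver in the text is rogue or unexpected."""
    return any(v != "ok" for _, v in assess_resolvers(extract_resolvers(text), expected))
```

Because most home routers hand out their own LAN address as the client's resolver, a clean resolv.conf on a PC proves little; the check has to be run against the resolver addresses on the router's own WAN or DNS configuration page.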

Cross-site request forgery techniques are among the most widely used for hijacking routers. In the past five months, several exploits have been published showing how to use them to compromise routers made by Zyxel and TP-Link. Interestingly, such attacks often must be launched from another device already connected to the targeted router. It's not immediately clear how that happens. One possibility is that an attacker website bounces malicious code off a connected device, which then relays it to the router.

Promoted Comments

I keep saying this over and over. If you are using an inexpensive home type router, get rid of it and get a home office /small business router instead, made by a real security appliance vendor. Yes you will pay $100-$300 but it is absolutely worth it. Cisco ASA 5505, Mikrotik Routerboard, Watchguard, Juniper, Sonicwall. There are others.

The primary job of your router is not ease of use, or extended range wireless, or how many Ethernet ports it has, or any of the bloody inconsequential features they advertise. The primary job of that router is to keep people out. If it isn't doing that then what's the point?

Another frequent recommendation for those who want to use consumer-grade routers is to switch the firmware to DD-WRT. I recently noticed that Buffalo makes a wireless router that already includes DD-WRT as its firmware, and it's priced competitively with decent home routers.

IMO one of the biggest drawbacks to using a small-business firewall in the home is that there's typically an annual charge for updates. It seems like this Buffalo - or any router that can use the DD-WRT firmware - would give decent security without the cost of a subscription.